Subject: Caldera Security Advisory SA-1997.19: Vulnerabilities in NetKit-B

Caldera Security Advisory SA-1997.19

RPM build date:       26-Jul-1997 (for netkit-base)
Advisory issue date:  22-Sep-1997

Topic: Vulnerabilities in NetKit-B

I. Problem Description

   There are several vulnerabilities in the network tools from the
   NetKit-B package.

   rshd, rlogind, and rexecd wouldn't close all file descriptors,
   including that of /etc/shadow. With the right setup, any user coming
   in via rsh or rlogin could thereby read /etc/shadow.

   rshd/rlogind would print different messages for non-existent users
   or wrong passwords.

   rusersd had some buffer overflows.

   fingerd wouldn't drop privileges if it failed to open /etc/passwd.
   This is mostly a theoretical problem because it's quite difficult to
   create a file handle starvation, and there aren't currently any other
   known problems that could be exploited.

   bsd-finger-0.10 fixes a denial of service situation where users'
   .plan or .project files are named pipes.

   netkit-inetd-0.10 fixes an issue with group list handling that could
   cause trouble if inetd were restarted from the command line. This is
   presently believed to be a non-issue, but it never hurts to be
   careful.

   netkit-inetd-0.10 fixes a denial of service problem with the daytime
   port.

   This release fixes a mistake in rlogind that could have security
   implications (the previous version honored hosts.equiv for root,
   which is contrary to the specification).

   This release also fixes a problem with the PAM support wherein it
   was possible for a remote user to distinguish between wrong passwords
   and nonexistent usernames.

   This release fixes a problem in tftpd that tftp clients could exploit
   to read any file on the system readable by the user tftpd ran under.

II. Impact

   NetKit-B was present on the following OpenLinux releases:

      CND 1.0
      Base 1.0
      Lite 1.1
      Base 1.1
      Standard 1.1

   To determine if you are affected and need this update, you may do
   the following:

      rpm -q NetKit-B

   If the results show that any version of NetKit-B is installed, then
   you will need to update.

III. Solution

   Replace NetKit-B with the netkit-0.10 packages.

   They can be found on Caldera's ftp site at:

      ftp://www.caldera.com/pub/openlinux/updates/1.1/current/RPMS/

   and

      ftp://www.caldera.com/pub/openlinux/updates/1.1/current/SRPMS/

   for the sources.

   The MD5 checksums (from the "md5sum" command) for these packages are:

   Since these are network applications, it is recommended that you
   bring the system down to single user mode to make the changes. Do
   the following:

   1) Log in as root from the console of the system when no other users
      are logged on.

   2) Type 'telinit 1'
      (This will bring the system down to single user mode. You will be
      prompted to enter the root password for maintenance.)

   3) Enter the root password and change to the directory containing
      the binary RPMs.

   4) Type the following:

      rpm -e NetKit-B
      rpm -i netkit-base-0.10-1.i386.rpm
      rpm -i netkit-bootparamd-0.10-1.i386.rpm
      rpm -i netkit-ftp-0.10-2.i386.rpm
      rpm -i netkit-ntalk-0.10-1.i386.rpm
      rpm -i netkit-routed-0.10-1.i386.rpm
      rpm -i netkit-rsh-0.10-3.i386.rpm
      rpm -i netkit-rusers-0.10-2.i386.rpm
      rpm -i netkit-rwall-0.10-3.i386.rpm
      rpm -i netkit-rwho-0.10-1.i386.rpm
      rpm -i netkit-telnet-0.10-1.i386.rpm
      rpm -i netkit-tftp-0.10-1.i386.rpm
      rpm -i netkit-timed-0.10-1.i386.rpm
      rpm -i bsd-finger-0.10-2.i386.rpm

   5) Log out from the maintenance shell.
      (The system will return to the default runlevel.)

   Note: after netkit-base-0.10-1 is installed, you will see the
   message, "Please kill and restart inetd manually." This message is
   generated by the RPM. Since you are in single user mode, inetd has
   already been killed. When you log out, the system will be brought
   back to the default runlevel, and inetd will start again
   automatically. Hence, if you upgrade in the manner described above,
   you can ignore this message.

IV. References

   This and other Caldera security resources are located at:

      http://www.caldera.com/tech-ref/security/

   This closes Caldera's internal problem reports #552 and #803.

V. PGP Signature

   This message was signed with the PGP key for .

   This key can be obtained from:

      ftp://ftp.caldera.com/pub/pgp-keys/

   Or on an OpenLinux CDROM under:

      /OpenLinux/pgp-keys/

$Id: SA-1997.19,v 1.1 1997/09/22 22:08:16 ron Exp $
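
The descriptor leak described for rshd, rlogind and rexecd in section I, as an added example that is not code from Caldera or NetKit: a daemon closes every inherited descriptor above stderr in the session child before it would exec the user's shell. The names close_fds_from and child_sees_leaked_fd are hypothetical, and /dev/null stands in for /etc/shadow.

```c
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Close every open descriptor numbered >= lowest; returns how many were closed. */
int close_fds_from(int lowest)
{
    int closed = 0;
    DIR *d = opendir("/proc/self/fd");       /* Linux: one entry per open fd */
    if (d != NULL) {
        struct dirent *e;
        while ((e = readdir(d)) != NULL) {
            int fd = atoi(e->d_name);         /* "." and ".." parse as 0 */
            if (fd >= lowest && fd != dirfd(d) && close(fd) == 0)
                closed++;
        }
        closedir(d);
        return closed;
    }
    /* Fallback without /proc: walk the table (bound capped for this demo) */
    long max = sysconf(_SC_OPEN_MAX);
    if (max < 0 || max > 65536) max = 65536;
    for (int fd = lowest; fd < max; fd++)
        if (close(fd) == 0) closed++;
    return closed;
}

/* Stand-in for the daemon: a privileged file is still open when the session
   child is forked. Returns 1 if the child can still use that descriptor. */
int child_sees_leaked_fd(int scrub)
{
    int secret = open("/dev/null", O_RDONLY); /* stands in for /etc/shadow */
    if (secret < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(secret); return -1; }
    if (pid == 0) {                           /* session child, before exec */
        if (scrub) close_fds_from(3);
        _exit(fcntl(secret, F_GETFD) != -1);  /* 1 = descriptor still open */
    }
    int status = 0;
    waitpid(pid, &status, 0);
    close(secret);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Opening sensitive files with O_CLOEXEC gives the same protection per descriptor; the sweep covers descriptors opened by library code the daemon does not control.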
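
The named-pipe denial of service that bsd-finger-0.10 addresses for .plan and .project files, as an added example that is not the bsd-finger source: the file is opened without blocking and anything other than a regular file is refused. The names open_plan_file and plan_accepted are hypothetical, and the temporary directory and its contents are constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a user-controlled file such as ~/.plan for reading, but only if it is
   a regular file. Returns a descriptor, or -1 if the file is refused. */
int open_plan_file(const char *path)
{
    /* O_NONBLOCK: opening a FIFO with no writer returns at once instead of
       hanging the daemon. O_NOFOLLOW: refuse a symlink as the last component. */
    int fd = open(path, O_RDONLY | O_NONBLOCK | O_NOFOLLOW);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);                  /* FIFO, device, directory or socket */
        return -1;
    }
    /* Regular file: restore blocking mode before normal reads */
    int fl = fcntl(fd, F_GETFL);
    if (fl != -1) fcntl(fd, F_SETFL, fl & ~O_NONBLOCK);
    return fd;
}

/* Constructed demo: create a temp dir holding either a FIFO or a regular
   file named .plan, and report whether open_plan_file() accepts it. */
int plan_accepted(int as_fifo)
{
    char dir[] = "/tmp/plan-demo-XXXXXX";
    char path[64];
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(path, sizeof path, "%s/.plan", dir);
    if (as_fifo) {
        if (mkfifo(path, 0600) != 0) { rmdir(dir); return -1; }
    } else {
        FILE *f = fopen(path, "w");
        if (f == NULL) { rmdir(dir); return -1; }
        fputs("constructed sample plan\n", f);
        fclose(f);
    }
    int fd = open_plan_file(path);
    if (fd >= 0) close(fd);
    unlink(path);
    rmdir(dir);
    return fd >= 0;
}
```

Checking the type with fstat on the already-open descriptor, rather than stat on the path, avoids a race in which the user swaps the file between the check and the open.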